๐Ÿ” CVE Alert

CVE-2026-46635

UNKNOWN 0.0

Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.

CWE CWE-863
Vendor twigphp
Product twig
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for twigphp twig

Be the first to know when new unknown vulnerabilities affecting twigphp twig are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

twigphp / Twig
< 3.26.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj github.com: https://github.com/twigphp/Twig/commit/f05c5011c25caf17de37614b7e04662022532ac4 github.com: https://github.com/twigphp/Twig/releases/tag/v3.26.0